Malware Analysis Report

2025-01-23 12:34

Sample ID 230515-vwa4xsfb2v
Target 5f20ff6a832886ee5320ce62109c8f7b8bca66ba9c2181a65b9bfccbbcbea11b.zip
SHA256 4adc7e50844e46826287646db3009dc2c64e4a7d94c408f14019c04880386e91
Tags
spynote banker
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4adc7e50844e46826287646db3009dc2c64e4a7d94c408f14019c04880386e91

Threat Level: Known bad

The file 5f20ff6a832886ee5320ce62109c8f7b8bca66ba9c2181a65b9bfccbbcbea11b.zip was found to be: Known bad.

Malicious Activity Summary

spynote banker

Spynote family

Spynote payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Requests dangerous framework permissions

Requests enabling of the accessibility settings.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-05-15 17:19

Signatures

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write (but not read) the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-15 17:19

Reported

2023-05-15 17:22

Platform

android-x86-arm-20220823-en

Max time kernel

544175s

Max time network

131s

Command Line

eg.sy

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Processes

eg.sy

Network

Country Destination Domain Proto
NL 142.250.179.202:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
NL 142.251.36.46:443 android.apis.google.com tcp
NL 142.251.39.110:443 android.apis.google.com tcp
US 1.1.1.1:853 tcp

Files

/storage/emulated/0/service player/config15-05-2023.log

MD5 c93337575e57f1510b7cc69f5c72eda8
SHA1 c5f1ddbed6392aa423ad604c86e4bbc2d8fd9397
SHA256 27cd38ab146c9e48fb40dc879b1018f6620c1f09e8cfa79b9b86cfa9f985b0d3
SHA512 e7333477ec2ceb2cd190dabea12486a605bfd9416c06082cd18622e2db4cd7d8fce0d7c582c6ddbb201e8aab2b3868566458644861ffc5a440acc75bacc507c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-15 17:19

Reported

2023-05-15 17:22

Platform

android-x64-20220823-en

Max time kernel

544041s

Max time network

161s

Command Line

eg.sy

Signatures

N/A

Processes

eg.sy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp

Files

/storage/emulated/0/service player/config15-05-2023.log

MD5 962ee9e19f09a4737529223e2b73e802
SHA1 29ef5c2bf446f1522eb92235822689eb32525ff5
SHA256 5213754172bd4f6ff3637910414930d2fc38cc7cbcbf35de10f6537cab12ee8e
SHA512 b0d69370d657a04ad03b01d0e993812e4a939a91ea94d1a3d01fa7c85bdf405c885232534eae378a628479aaca1c3851128ee7307ce25c7561bab973e05f48b8

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-15 17:19

Reported

2023-05-15 17:22

Platform

android-x64-arm64-20220823-en

Max time kernel

544185s

Max time network

139s

Command Line

eg.sy

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Processes

eg.sy

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
NL 142.250.179.142:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
NL 172.217.168.226:443 tcp
NL 142.251.39.102:443 tcp
NL 142.250.179.170:80 play.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 216.58.214.10:80 play.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp

Files

N/A